10 - cip-002-5.1 medley - carr

CIP v5 Workshop CIP-002-5.1 Medley

Salt Lake City, UT September 9, 2015

Bryan Carr PMP, CISA, PSP

Compliance Auditor, Cyber Security Western Electricity Coordinating Council

Speaker Intro: Bryan Carr • Joined WECC in August 2012 • Dr. TFE (Emeritus) • Past compliance Program Manager at PacifiCorp • Prior experience in project and program

management

September 10, 2015 Western Electricity Coordinating Council

2

Agenda

• CIP-002-5.1 Requirements • CIPv5 Transition Guidance • Pre-Audit Data Request • Lessons Learned & FAQs • Site Visits • Questions

Western Electricity Coordinating Council

3

Daily Dose of Dilbert Slide 4


CIP-002-5.1: R1 • Each Responsible Entity shall implement a process that

considers each of the following assets for purposes of parts 1.1 through 1.3: [Violation Risk Factor: High][Time Horizon: Operations Planning] – i. Control Centers and backup Control Centers; – ii. Transmission stations and substations; – iii. Generation resources; – iv. Systems and facilities critical to system restoration,

including Blackstart Resources and Cranking Paths and initial switching requirements;

– v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and

– vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.


5

CIP-002-5.1: R1.1 - R1.3 • Each Responsible Entity shall implement a process

that considers each of the following assets for purposes of parts 1.1 through 1.3: – 1.1. Identify each of the high impact BES Cyber Systems

according to Attachment 1, Section 1, if any, at each asset;

– 1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; and

– 1.3. Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).


6

CIP-002-5.1: Direction • CIP-002-5.1 R1.1 - R1.3 are applicable for the

transition period in lieu of the CIP-002-3 R2 list of Critical Assets (Option 3).

• Focus on High BCS (R1.1) and Medium BCS (R1.2) for immediate CIPv5 compliance efforts (Option 3).

• Compliance date for Low impact BES Assets on April 1, 2017. – Be sure to use CIP-003-6 when developing program and

controls for Lows – Four programmatic controls specified in CIP-003-6

Attachment 1 – Don’t ignore, but don’t prioritize for now.


7

CIPv5 Transition Guidance • As a practical matter, NERC understands that

Responsible Entities cannot complete transition to the CIP V5 Standards in a single instance; rather, transition to full implementation will occur over a period of time as Responsible Entities develop the necessary procedures, software, facilities, or other relevant capabilities necessary for effective compliance with the CIP V5 Standards. (NERC, 2014 Aug 12, Transition Guidance, p. 2)


8

CIPv5 Transition Guidance • To help ensure that they are fully compliant with the CIP

V5 Standards upon the effective date, Responsible Entities may need or prefer to transition from compliance with the requirements of the CIP V3 Standards to implementation of the requirements of the CIP V5 Standards during the Transition Period. As such, there may be a period of time prior to the effective date of the CIP V5 Standards date when Responsible Entities begin to operate in accordance with the CIP V5 Standards while the CIP V3 Standards are still mandatory and enforceable. (NERC, 2014 Aug 12, Transition Guidance, p. 2).


9

CIP v5 Transition Options*

*see Options Table (NERC, 2014 Aug 12, Transition Guidance, p. 5)


10

CIP v5 Transition Guidance

• WECC recommends entities choose Option 3 and immediately start transitioning to CIPv5 compliance – Freeze your CIPv3 program – Roll forward the “mostly

compatible” parts of CIPv3 – Integrate the remaining elements of

CIPv5 • Not a huge burden for CIP-002-5.1

compliance, but may present challenges for other Standards.

• A feasible sequence of Standards for transition efforts


11

An Entity Documents Option 3 Slide 12


Quiz Time

• In 1916, how much did the U.S. pay for the Danish West Indies (Virgin Islands)?

$25,000,000 in gold

Slide 13


Attachment G*: CIP-002-5.1 Evidence • [R1]: Provide documentation of the process and its

implementation to consider each BES asset included in the asset types listed in R1.i - R1.vi to identify the following lists: – [R1.1]: A list of High impact BCS at each asset identified by application

of Attachment 1, Section 1. – [R1.2]: A list of Medium impact BCS at each asset identified by

application of Attachment 1, Section 2. – [R1.3]: A list of identified Low impact BES Assets identified by

application of Attachment 1, Section 3]. • [R2]: Signed and dated records of the CIP Senior Manager or

delegate reviews and approvals of the identifications required by R1, even if such lists are null.

* 2016 Attachment G document is still in progress and may change to some degree, but these basic sets of evidence will expected in the initial evidence package.

Slide 14


Lessons Learned


15

• “Throughout the Implementation Study, study participants identified potential issues and asked NERC and Regional Entity staff to clarify certain aspects of the CIP Version 5 standards, or confirm that their approach was consistent with good security practices and compliance expectations.” (NERC, 2014 Aug 12, Transition Guidance, p. 23).

What is a Lesson-Learned?

• One of the key goals of the pilot study was to develop Lessons-Learned by the study participants to: – Inform and support entity transition activities – Identify obstacles – Develop commonly understood solutions

• This portion of the presentation will cover WECC’s current understanding of the Lessons-Learned and FAQs [LL/FAQ] relative to CIP-002-5.1

16


http://www.nerc.com/pa/CI/Pages/Transition-Program-V5-Implementation-Study.aspx


What is a Lesson-Learned? • To date, there are currently 23 LL/FAQ in various stages

of development (NERC, 2014 Oct, Implementation Study Final Report: Table 7, pp. 24-26).

• Most Lesson-Learned documents were developed under this preamble: – This document is designed to convey lessons learned from

NERC’s various activities. It is not intended to establish new requirements under NERC’s Reliability Standards or to modify the requirements in any existing reliability standards. Compliance will continue to be determined based on language in the NERC Reliability Standards as they may be amended from time to time. Implementation of this lesson learned is not a substitute for compliance with requirements in NERC’s Reliability Standards.

17


http://www.nerc.com/pa/CI/tpv5impmntnstdy/Planned%20Lessons%20Learned%20and%20FAQs.pdf

http://www.nerc.com/pa/CI/tpv5impmntnstdy/Planned%20Lessons%20Learned%20and%20FAQs.pdf

Caveats • WECC does not provide prescriptive solutions, but

bases its audit approach on the CIPv5 Standards and makes recommendations based on Best Practices.

• As of this presentation, most of the LL/FAQ documents are still fluid and may change before their final versions. – If significant changes are introduced, WECC’s audit approach

relative to the LL/FAQ may also change. – While WECC does not expect major changes in direction, if

they do occur, the WECC CIP Team will publicize any impacts on its CIPv5 audit approach as soon as possible.

18




Lessons Learned Summary Requirement: Title Description Type

1. CIP‐002‐5 R1: Impact rating of generation resources (generation segmentation)

What options are available to categorize the impact rating of BES Cyber Assets at plants greater than 1500 MW?

LL

2. CIP‐002‐5 R1: Relay protection in substations with different impact ratings (i.e., far‐end relay/transfer trip)

How should the impact rating of line protection relays at each end of a transmission line connecting two substations be determined?

LL

3. CIP‐002‐5 R1: Programmable electronic devices

What are some practical examples for what is or is not a programmable electronic device?

LL

19



4. CIP‐002‐5 R1: BES impact of transmission scheduling systems

Should transmission scheduling systems be considered medium- or high-impact rating BES Cyber Systems?

LL

5. CIP‐002‐5 R1: Identifying BES Cyber Systems and BES Cyber Assets

What are some practical approaches to identify BES Cyber Systems and BES Cyber Assets?

LL

6. CIP‐002‐5 R1: Distributed BES Cyber Assets at generating plants and substations

Are instrumentation devices such as sensors, actuators, and controllers considered to be programmable electronic devices? If so, what methods would be appropriate to secure them from a compliance perspective?

LL

20


Lessons-Learned / FAQ Summary Requirement: Title Description Type

7. CIP‐002‐5 R1: Grouping BES Cyber Assets

What are the advantages of grouping BES Cyber Assets into BES Cyber Systems, and how can this help demonstrate compliance?

LL

8. CIP‐002‐5 R1: Shared equipment at a substation

What issues need to be addressed related to substations that are shared by different entities (e.g., identifying ownership, compliance responsibilities, emergency management, physical access controls)?

LL

9. CIP‐002‐5 R1: Applicability of Control Centers to Transmission Operators (TOP) and Transmission Owners (TO)

How would CIP‐002‐5 Attachment 1 criterion 2.12 apply to medium‐impact Control Centers if the functional obligations are performed by the TO on behalf of the TOP?

LL

21



10. CIP‐002‐5 R1: Generation interconnection points

Clarify the terms “generation interconnection point,” “generation interconnection Facility,” and “collector bus” for the purposes of applying CIP‐002‐5 Attachment 1 impact rating criteria 2.1 and 2.2.

LL

11. CIP‐003‐5 R2: Medium‐impact rating, non‐routable, no dial‐up access Cyber Assets

What is the complete set of CIP Version 5 Requirements that apply to BES Cyber Systems without routable or dial‐up access?

LL

17. CIP‐006‐5 R1: Multiple physical access controls

Discuss options for using two or more physical access controls for high‐impact BES Cyber System Physical Security Perimeters.

LL

22


Lessons Learned

• Two published/final related to CIP-002-5.1 – Generation Segmentation – Far-End Relay


23

1a. Generation Segmentation Requirement: Title Description CIP‐002‐5 R1: Impact rating of generation resources (generation segmentation)

What options are available to categorize the impact rating of BES Cyber Assets at plants greater than 1500 MW?

Impact of the Lesson‐Learned on WECC Audit Approach

This LL describes the options used by pilot study participants for identifying BCS located at generation plant sites with a net Real Power capability => 1500 MWs. The LL provides two options for protecting BCS at such generation sites: A. Protect the BCS as Medium-impact at a single location, in which the all CIP

standards are applicable B. Segment the Generating Units and their Associated BCS to ensure no BCS could

have an adverse impact on any combination of units =>1500 MWs within 15 minutes. If this option is chosen, the entity must provide sufficient evidence that all BCS have been segmented effectively, such that there are no common-mode vulnerabilities that could cause the loss of 1500 MW or more at the plant site.

24


http://www.nerc.com/pa/CI/tpv5impmntnstdy/CIPv5_LL_GenerationSegmentation_Nov_25_2014.pdf



1b. Generation Segmentation Acceptable Evidence of Generation Segmentation

This evidence could include engineering analyses that demonstrate effective segmentation of, for example:

• Systems protected by the segmented unit network. • Components shared by multiple generating units or group of units, and

analysis that loss, compromise, or misuse of the BES Cyber Systems could have on the reliable operation of the BES within 15 minutes.

• BES Cyber Systems shared by multiple generating units or group of units, and analysis that loss, compromise, or misuse of the BES Cyber Systems could have on the reliable operation of the BES within 15 minutes.

• Network interfaces between each generating unit or group of units and external networks (e.g., firewall rules).

25


1c. Generation Segmentation Impact of the Lesson‐Learned on WECC Audit Approach

When reviewing entity BCS evaluations relative to IRC 2.1, WECC will expect evidence that indicates the entity evaluated the aggregate highest net rated Real Power capability of the preceding 12 calendar months to establish the generation plant’s net output relative to the 1500 MW threshold. If the plant net output equals or exceeds the 1500 MW threshold, WECC will expect documentation demonstrating all BCS, including, but not limited to, DCS, fuel, air, and water support systems at the plant were examined to test the second condition in IRC 2.1 of an adverse impact within 15 minutes for any combination of units that equal or exceed 1500 MW. BCS that meet both conditions should be classified as Medium-impact BCS, while BCS that fail one or both conditions should be classified as Low-impact BCS (the dual conditions are also true for IRC 2.2).

26


2. Far End Relays Requirement: Title Description CIP‐002‐5 R1: Relay protection in substations with different impact ratings (i.e., far‐end relay/transfer trip)

How should the impact rating of line protection relays at each end of a transmission line connecting two substations be determined?

Impact of the Lesson‐Learned on WECC Audit Approach

This LL clarifies that line protection relays at each end of a transmission line connecting two substations may have different BCS impact ratings. The rating of each relay is dependent on whether the Transmission Facilities at the station or substation at which the relay is located meets the rating criteria for Medium- or Low-impact. Although the term “SPS” is being replaced by the more generic term “RAS,” this same LL concept may apply to all SPS and RAS that do NOT meet IRC 2.9.

WECC will review the entity’s R1.1, R1.2, & R1.3 lists and ask questions, as necessary, to determine the effectiveness of the process implemented to create these lists.

27


http://www.nerc.com/pa/CI/tpv5impmntnstdy/CIPv5_LL_ImpactRatingFarEndRelays_Nov_25_2014.pdf



Quiz Time

Name of electric utility serving the U.S. Virgin Islands?

WAPA Virgin Islands Water and Power Authority

Slide 28


FAQ 45 Slide 29


FAQ 49 Slide 30


FAQ 52 Slide 31


Quiz Time

• What is the primary generation fuel source on the U.S. Virgin Islands?

Fuel Oil

Slide 32


CIP Site Visits

• Purpose • What to expect • Rules of engagement • Tips


33

Site Visit Purpose

• “… auditors obtain reasonable assurance that evidence is sufficient and appropriate to support the auditors’ findings and conclusions in relation to the audit objectives.” (GAGAS, p. 124)

• Visual Verification • Direct Observation


34

What to Expect…

• Data Requests – Site Visit Analysis

• Typically for large numbers of assets/facilities or complex systems

• Seeking clarification and additional information to make informed decisions

– Site Visit Data Request • List sites selected, propose schedule


35

Site Visit DR Example The WECC Audit Team requests: Please schedule tours on Wednesday (September 9, 2015) of the following BILL BES Assets, including all areas with BES Cyber Systems located at: Day One (September 9, 2015)

– Primary Control Center – Backup Control Center – Substation1 – Substation2

BILL shall propose a meeting location, route, and schedule that optimizes the time the WECC audit team will have available at each BES Asset and minimizes the impact the audit team will have on BILL operations. If possible, the WECC audit team would like to end the tour at the facility nearest the audit team location, but the team is flexible and understands any operational requirements for BILL scheduling. The WECC audit team recognizes that BILL has BES operational responsibilities at the BES Asset(s) and will make an effort to minimize interference with the duties of BILL personnel once on site.


36

Site Visit DR Example During the tour, BILL will provide Subject Matter Experts in the three standards (CIP-002, CIP-005, & CIP-006) and the following hard copy lists and/or diagrams for use by the WECC Audit team during the site visits: • For each Asset identified as a BILL Asset containing High BCS or Medium BCS, BILL shall provide

hard copies (filtered by location) of its inventory of BCS at each site. This inventory should contain sufficient information to support validation of the entity’s compliance efforts at each location. For each Asset identified as a Low-impact BES Asset, please be prepared to discuss planned CIP protections including any expected LERC and LEAP implementations.

• For each site with one or more ESPs, BILL shall provide a hard copy diagram of each such ESP. If there is no ESP, please provide a network diagram to support the validation of the BCS perimeter(s).

• For each site with one or more PSPs, BILL shall provide a hard copy diagram of each such PSP. If there is no PSP, please provide a physical diagram to allow the CIP-006 audit team to note current physical protections for the BES Asset.

The WECC audit team will use these documents to validate BCS, ESPs, and PSPs and will annotate the documents while on site. The WECC audit team will return these documents to BILL prior to leaving each site. A separate DR – subsequent to the site visits – will request scanned PDF copies of the annotated lists and/or diagrams for review and inclusion into the audit records.


37

Rules of Engagement

• WECC Audit Team WILL: – Work to make everyone feel at ease and comfortable

through open and candid dialogue – Verify lists and drawings against actual deployment – Typically split into two groups – CIP-002 and 005

together, with CIP-006 on its own – Ask SMEs to perform ALL tasks & testing (login, open

cabinet doors, generate failed login attempts, hold door open, etc.)

– Notify you of concerns/issues identified


38

Rules of Engagement

• WECC Audit Team WILL NOT: – Attempt to ditch their escorts – Touch any equipment, keyboards, buttons,

switches, levers, dials, etc. – Attempt to ditch their escorts – Ask the SMEs to do anything that poses a risk to

reliable operation of the BES – Play the gotchya game


39

CIP Site Tours – Helpful Tips

• The cast of Ben Hur isn’t necessary to ensure a successful site visit

• Tailboards and other site-specific safety meetings are great

• Be sure the right SMEs are there, and prepared


40

References • FERC. (2013 December 3). Order No. 791: Version 5 Critical

Infrastructure Protection Reliability Standards. 18 CFR Part 40: 145 FERC ¶ 61,160: Docket No. RM13-5-000. Published in Federal Register: Vol. 78, No. 232 (pp. 72756-72787). Retrieved from http://www.gpo.gov/fdsys/pkg/FR-2013-12-03/pdf/2013-28628.pdf

• NERC. (2013 November 22). CIP-002-5.1 – Cyber Security Standard – BES Cyber System Categorization. Retrieved from http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-002-5.1&title=Cyber%20Security%20—%20BES%20Cyber%20System%20Categorization&jurisdiction=null

• NERC. (2014 April). Bulk Electric System Definition Reference Document (Version 2). Retrieved from http://www.nerc.com/pa/Stand/Project%20201017%20Proposed%20Definition%20of%20Bulk%20Electri/bes_phase2_reference_document_20140325_final_clean.pdf


41

http://www.gpo.gov/fdsys/pkg/FR-2013-12-03/pdf/2013-28628.pdf

http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-002-5.1&title=Cyber%20Security%20%E2%80%94%20BES%20Cyber%20System%20Categorization&jurisdiction=null



http://www.nerc.com/pa/Stand/Project%20201017%20Proposed%20Definition%20of%20Bulk%20Electri/bes_phase2_reference_document_20140325_final_clean.pdf



References

• NERC. (2014 August 12). Cyber Security Standards Transition Guidance: ERO Compliance and Enforcement Activities during the Transition to the CIP Version 5 Reliability Standards. Retrieved from http://www.nerc.com/pa/CI/Documents/V3-V5%20Transition%20Guidance%20FINAL.pdf

• NERC. (2014 September 17). Glossary of Terms used in NERC Reliability Standards. Retrieved from http://www.nerc.com/pa/stand/glossary%20of%20terms/glossary_of_terms.pdf

Slide 42


http://www.nerc.com/pa/CI/Documents/V3-V5%20Transition%20Guidance%20FINAL.pdf

http://www.nerc.com/pa/CI/Documents/V3-V5%20Transition%20Guidance%20FINAL.pdf

http://www.nerc.com/pa/stand/glossary%20of%20terms/glossary_of_terms.pdf

http://www.nerc.com/pa/stand/glossary%20of%20terms/glossary_of_terms.pdf

Speaker Contact Information

Bryan Carr [email protected] 801-819-7691

Slide 43


mailto:[email protected]